Azure-Sentinel/Detections
Ajeet Prakash (MSTIC) 4b19102df3 Removing Case sensitivity related to MemberName. The difference between CN= and cn= cause result disparities. 2021-08-16 10:56:50 -07:00
ASimAuthentication Update imSigninAttemptsByIPviaDisabledAccounts.yaml 2021-08-16 13:33:45 +03:00
ASimDNS Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
ASimFileEvent Update imFileESolarWindsSunburstSupernova.yaml 2021-08-16 09:07:03 +03:00
ASimProcess File Event, schema, parsers and detections (#2775) 2021-08-03 18:11:08 +03:00
AWSCloudTrail changes 2021-05-11 08:52:54 +03:00
AlsidForAD changes 2021-05-11 08:52:54 +03:00
AuditLogs Update RareApplicationConsent.yaml 2021-07-02 08:10:54 -07:00
AzureActivity fix Azure Activity query 2021-05-24 12:24:34 +03:00
AzureAppServices Update AVScan_Failure.yaml 2021-06-10 20:09:19 +03:00
AzureDevOpsAuditing changes 2021-05-11 08:52:54 +03:00
AzureDiagnostics changes 2021-05-11 08:52:54 +03:00
AzureFirewall changes 2021-05-11 08:52:54 +03:00
CiscoUmbrella changes 2021-05-10 15:54:50 +03:00
Cognni PR fixes 2021-05-30 15:17:10 +03:00
CommonSecurityLog Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
CyberpionSecurityLogs changes 2021-05-10 15:54:50 +03:00
DeviceEvents changes 2021-05-11 08:52:54 +03:00
DeviceFileEvents changes 2021-05-11 08:52:54 +03:00
DeviceNetworkEvents changes 2021-05-10 15:54:50 +03:00
DeviceProcessEvents Update AdFind_Usage.yaml 2021-05-18 16:47:48 +03:00
DnsEvents Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
Duo Security Update TrustMonitorEvent.yaml 2021-07-19 08:27:16 +03:00
EsetSMC changes 2021-05-11 08:52:54 +03:00
GitHub Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
InfobloxNIOS Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
LAQueryLogs changes 2021-05-11 08:52:54 +03:00
MultipleDataSources Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
OfficeActivity Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
OktaSSO Check if Published_t exists to use 2021-06-03 23:32:25 -07:00
ProofpointPOD changes 2021-05-11 08:52:54 +03:00
PulseConnectSecure changes 2021-05-11 08:52:54 +03:00
QualysVM changes 2021-05-11 08:52:54 +03:00
SecurityAlert Update CorrelateIPC_Unfamiliar-Atypical.yaml 2021-06-13 14:16:37 -07:00
SecurityEvent Removing Case sensitivity related to MemberName. The difference between CN= and cn= cause result disparities. 2021-08-16 10:56:50 -07:00
SigninLogs Remove events from without signins 2021-06-23 17:45:20 +02:00
SophosXGFirewall changes 2021-05-11 08:52:54 +03:00
SymantecProxySG changes 2021-05-11 08:52:54 +03:00
SymantecVIP changes 2021-05-11 08:52:54 +03:00
Syslog changes 2021-05-11 08:52:54 +03:00
ThreatIntelligenceIndicator Merge branch 'master' into shaharBranch2 2021-05-19 10:12:21 +03:00
TrendMicroXDR changes 2021-05-11 08:52:54 +03:00
VMwareCarbonBlack changes 2021-05-11 08:52:54 +03:00
VectraAI fix kql in Behavior-insights 2021-05-21 15:31:21 -07:00
W3CIISLog Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
ZoomLogs changes 2021-05-11 08:52:54 +03:00
http_proxy_oab_CL changes 2021-05-10 15:54:50 +03:00
readme.md Update readme.md 2021-05-08 18:58:44 +03:00

readme.md

About

This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment.

For general information please start with the Wiki pages.

More specific to Detections:

  • Contribute to Analytic Templates (Detections) and Hunting queries
  • Specifics on what is required for Detections and Hunting queries are in the Query Style Guide
  • These detections are written in the KQL query language and give you a starting point to protect your environment and become familiar with the different data tables.
  • To enable these detections in your environment, follow the out-of-the-box guidance (note that after a detection is available in this GitHub repository, it might take up to 2 weeks before it is available in the Azure Sentinel portal).
  • The rule created will run the query on the schedule that was defined and trigger an alert that is visible both in the SecurityAlert table and as a case in the Incidents tab.

Feedback

For questions or feedback, please contact AzureSentinel@microsoft.com